redline | 1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94 | Triage

Sharing

Copy URL Twitter E-mail

General

Target

1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94
Size

2.3MB
Sample

230713-yxgjwabg5y
MD5

3c55617e6b69330386a0350e9f6aa0b4
SHA1

99bff391433cfc610b27f3b2b7ebc3239314f831
SHA256

1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94
SHA512

46eac86da241ab7b98d449e31111c9da154109b493bf62e807cffcdb43767167c994a165d78ec9a4ce24ea4f64ec76edee39daf9408bad3d6e65b64b1b6b1c28
SSDEEP

49152:X4MR20Q9Xz2p2pizrXPHaBXtHqNQ6cBUX0biao10PzFyPawde5Gir:X41MEpyHaZUNFcBUEfoIgPFTir

Score

10^/10

redline 120723_rc_11 evasion infostealer spyware themida trojan

Malware Config

Extracted

Family

redline

Botnet

120723_rc_11

C2

rcam.tuktuk.ug:11290

Attributes

auth_value
3a7b4b38a7116be1f337083fb37de790

Targets

- Target
  
  1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94
- Size
  
  2.3MB
- MD5
  
  3c55617e6b69330386a0350e9f6aa0b4
- SHA1
  
  99bff391433cfc610b27f3b2b7ebc3239314f831
- SHA256
  
  1ca6070d9a141d51ccc4f75ab90095cc7fa3791c54ec10ee042b96a815822c94
- SHA512
  
  46eac86da241ab7b98d449e31111c9da154109b493bf62e807cffcdb43767167c994a165d78ec9a4ce24ea4f64ec76edee39daf9408bad3d6e65b64b1b6b1c28
- SSDEEP
  
  49152:X4MR20Q9Xz2p2pizrXPHaBXtHqNQ6cBUX0biao10PzFyPawde5Gir:X41MEpyHaZUNFcBUEfoIgPFTir
Score

10^/10

redline 120723_rc_11 evasion infostealer spyware themida trojan
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
  infostealer redline
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
  evasion
- Checks BIOS information in registry
  BIOS information is often read in order to detect sandboxing environments.
- Themida packer
  Detects Themida, an advanced Windows software protection system.
  themida
- Accesses cryptocurrency files/wallets, possible credential harvesting
  spyware
- Checks whether UAC is enabled
  evasion trojan
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetThreadContext
behavioral1

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

Credential Access

Credentials in Files

Discovery

Query Registry

System Information Discovery

Virtualization/Sandbox Evasion

Lateral Movement

Collection

Data from Local System

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

redline120723_rc_11evasioninfostealerspywarethemidatrojan